Slashdot Mirror

← Back to Stories (view on slashdot.org)

How the Code War Has Replaced the Cold War

Posted by Soulskill on from the time-to-update-the-rules-of-engagement dept.

An anonymous reader writes "After years on the defensive, governments are building their own offensive capabilities to deliver digital attacks against their enemies. It's all part of a secret arms race, where countries spend billions of dollars to create stockpiles of digital weapons and zero-day flaws. But is this making us any safer, or putting us and the internet at risk? 'Estonia is a small state with a population of just 1.3 million. However, it has a highly-developed online infrastructure, having invested heavily in e-government services, digital ID cards, and online banking. ... The attacks on Estonia were a turning point, proving that a digital bombardment could be used not just to derail a company or a website, but to attack a country. Since then, many nations have been scrambling to improve their digital defenses -- and their digital weapons. While the attacks on Estonia used relatively simple tools against a small target, bigger weapons are being built to take on some of the mightiest of targets.'"

44 of 79 comments (clear)

  1. Lots of challenges in dealing with this by cold+fjord · · Score: 4, Insightful

    Since they seem destined to exist I hope that the cyber weapons being built have adequate safeguards against their misuse or accidental use.

    Cyber warfare is worse than submarine warfare in terms of being able to identify an attacker. It provides the means for potentially anonymous devastating attacks. How will the world react to that?

    Cyber arms control will be difficult to achieve, at best, maybe impossible.

    Will a "Cyber Geneva Convention" be needed? No attacking hospitals, etc.?

    How will organized crime and black hats fit into this framework? Will they be in the new era what pirates were in the 1700s - 1800s?

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re: Lots of challenges in dealing with this by siddesu · · Score: 2

      We must not allow a byteshift gap!

    2. Re:Lots of challenges in dealing with this by Anonymous Coward · · Score: 2, Insightful

      Anonymous attacks? The even worse part is that it is possible to make it look like it was someone else that started the attack by going via insecure third-party systems and covering your tracks.

      But sure, we can trust the reports stating that China is one of the major cyber war actors. Despite them having insecure systems and anonymous hosting that anyone in the world can abuse....

    3. Re:Lots of challenges in dealing with this by K.+S.+Kyosuke · · Score: 1

      What do solar panels have to do with rare earths? Yeah, I'm quite sure they are also cheaper than titanium, which is another thing they have nothing to do with, but you could mention half an encyclopedia like that.

      --
      Ezekiel 23:20
    4. Re:Lots of challenges in dealing with this by XanC · · Score: 1, Informative

      http://lmgtfy.com/?q=solar+pan...

    5. Re:Lots of challenges in dealing with this by Anonymous Coward · · Score: 1

      Safeguards ? Like an Evil bit flag parser on my shellcode ?

    6. Re:Lots of challenges in dealing with this by Hognoxious · · Score: 3, Funny

      The even worse part is that it is possible to make it look like it was someone else that started the attack by going via insecure third-party systems and covering your tracks.

      That's always been possible, even with conventional attacks.

      For example, The Mossad & 9-!! ,$@#
      no carrier

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. If Goverment and Industry by stox · · Score: 1

    wasn't so downright negligent in their race to adopt new technology, most of the problem would not exist.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:If Goverment and Industry by Anonymous Coward · · Score: 4, Insightful

      It isn't adopting new technology, it is doing so focusing being as cheap as possible in the short term, and damn the long run.

      In reality, I see at least six things that, had it been implemented earlier, would have saved us a lot of issues:

      1: The concept of tainted instructions and having anything a Web browser grab be viewed as potentially hostile. This means add-ons are restricted to a sub-context and only can get keyboard input if they have the focus (and they have to be clicked on to have that happen), and the OS the Web browser sits on not just isolate its processes in memory, but also the file system. This way, there isn't an undocumented API a compromised browser or add-on could use to expand its context.

      2: Moronic things like the USB protocol where a disk drive can present itself as a keyboard. It would be nice to have specific USB ports where only drives can register in one set, keyboards in another set, and so on.

      3: The almighty firewall as the answer to all remote hacking. This worked when hacks were incoming, but now with the primary means of attack holes in Web browsers, the focus needs to be on add-ons and the browser, then defense in depth.

      4: Backups got set aside. It wasn't that long ago when every serious PC had a tape drive with it because hard disks died, and tape was cheap, and worked well. Now that people think they can back up to hard disks (note, none I know of are archival grade), it is a matter of course to lose data.

      5: Trusting other people with security. When people stopped packing their own parachutes, the shit hit the fan. If one wants to store stuff with an offshore provider, great. Just encrypt the damn files before they leave the site.

      6: Final one... no security specs or audits whatsoever except for the US Government's FISMA compliance that can have random audits happen. Only time an audit happens in a lot of private companies is after a breach happens.

    2. Re:If Goverment and Industry by Anonymous Coward · · Score: 2, Insightful

      7. Equating a running process with a user and assigning privilege accordingly - this is a massive fail. It was relevant back in the day when researchers logged on to shared systems and ran programs they had written themselves. It assumes a complete knowledge of the program to be run, which has not been the case for 30 years, but is still the standard level of trust.

  3. Re:Two words : by Anonymous Coward · · Score: 2, Informative

    Only if done properly. If you allow your people to insert random storage devices between the systems then you are still vulnerable. One example using the mistakes made in the separation is Stuxnet.

  4. Re:Have we been hurt in this "war"? by Johann+Lau · · Score: 2, Interesting

    How does mass surveillance of private communications prevent DDOS attacks?

    Blackhats are on the same "side" from the perspective of the innocent people they are attacking, even when they fight against each other.

  5. Billions of dollars? by c0d3g33k · · Score: 4, Interesting

    Stockpiles of exploits? Sounds like some reporter is out of his/her depth and can't understand the difference between physical weapon stockpiles and software vulnerabilities. Welcome to the new Yellow Journalism. FUD, FUD and more FUD.

    1. Re:Billions of dollars? by Kjella · · Score: 3, Insightful

      I fail to see the problem with his choice of words, you find exploits and put them in an arsenal of attacks. Just because you count number of exploits and not numbers of guns it's still an accumulation of weapons set aside for future use in cyber-warfare. And of course it costs lots of money to maintain such an arsenal as old exploits are patched or the vulnerable software or hardware goes out of use, it doesn't have a shelf life like physical weapons but your capability degrades over time unless you supply it with new exploits not entirely unlike when your enemies upgrade their weapons capabilities making yours obsolete. At least it's no worse of an abuse than using "cyber warfare" for sending bits and bytes instead of bullets at each other.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Billions of dollars? by gnupun · · Score: 1

      What would happen to the exploits if these apps and services were reimplemented using safer languages like Java and .Net (i.e. replace C/C++) that don't allow buffer overflow/underflow? Sure, the hacker would still be able to crash the program, but it's highly unlikely he can gain control of the system or do any kind of crazy damage to important data.

    3. Re:Billions of dollars? by Entropius · · Score: 1

      Then those apps and services would run really, really slowly.

      (Yes, I know Java can be made to not suck, but every .NET program I've had to deal with has been clunky.)

  6. Estonia has 1.3 million.... by Bob_Who · · Score: 2

    E-stoners.

  7. Joke of a comparison by timeOday · · Score: 4, Insightful

    If cyber "war" has replaced nuclear war then that is an excellent trade. Even John Kerry was waxing nostalgic for the Cold War the other day. What a joke! Are people that dumb? Have we so quickly forgotten what it was like to face a REAL threat of annihilation and actual global destruction? I would take another 9/11 over another Cuban Missile Crisis any day of the week. Let alone some computer hacking.

    1. Re:Joke of a comparison by tragedy · · Score: 2, Insightful

      Technically speaking, most of those nuclear weapons everyone was afraid of back then are still there, just waiting to be fired. Now, rather than the Soviet Union, they're in the hands of Russia. A least nothing is going on that might increase tensions between Russia and the rest of the world right? Oh, and fortunately Russia isn't run by some hard-right authoritarian, obsessesed with projecting strength.

    2. Re:Joke of a comparison by kamapuaa · · Score: 1

      John Kerry said diplomacy was simpler then than it is today - considering his experience as a soldier and a prominent protestor in the Cold War, and now as a top diplomat, he might know what he's talking about.

      --
      Slashdot: providing anti-social weirdos a soapbox, since 1997.
    3. Re:Joke of a comparison by MerlynEmrys67 · · Score: 3, Interesting

      He may know what he is talking about, or maybe he just doesn't understand how good Kissinger was at his job. A master of a profession makes it look so easy that even someone with mediocre grades at Yale (He was outscored by W. after all - and see what people think of him) can do it. Turns out there are a lot of subtleties that I don't think our current batch of diplomats understand.

      --
      I have mod points and I am not afraid to use them
    4. Re:Joke of a comparison by Kjella · · Score: 4, Interesting

      Technically speaking, most of those nuclear weapons everyone was afraid of back then are still there, just waiting to be fired. Now, rather than the Soviet Union, they're in the hands of Russia. A least nothing is going on that might increase tensions between Russia and the rest of the world right? Oh, and fortunately Russia isn't run by some hard-right authoritarian, obsessesed with projecting strength.

      The Soviet Union with half of Europe as allies was a superpower. Russia is barely in the top 10 biggest economies of the world, they have 140 million men against 900 million in NATO. Their military technology and spending suffered during the reforms, by all means they're powerful but they got no chance of pulling off a victory. Putin is gambling that nobody wants to pick a fight with Russia over a few areas in Ukraine, if he's called on it they'd lose but probably not before a hundred million people have died. Unless of course China were to join on the Russian side, 1.35 billion people and the world's second biggest economy along with Russia's nukes would give NATO a real run for their money. Personally I think what's happening in Ukraine will push all the other countries in the "buffer zone" between NATO and Russia to seek NATO membership over Russia's objections.

      --
      Live today, because you never know what tomorrow brings
    5. Re:Joke of a comparison by tragedy · · Score: 1

      Russia still has the nuclear weapons that had everyone scared of nuclear annihilation back in the day. Well, technically the US has most of the nuclear weapons that had everyone scared of nuclear annihilation back in the day, but Russia still has its share.

    6. Re:Joke of a comparison by timeOday · · Score: 1

      That's why I said "even" John Kerry, I was surprised he said it. Vietnam was a flareup of the Cold War and killed about 60,000 of us and about 1,500,000 million of them. In absolute terms, what is going on now that compares?

    7. Re:Joke of a comparison by phantomfive · · Score: 1

      The thing about MAD, it isn't about winning. It's about "neither side can win." And Russia still has the power to ensure that no one who engages in war with them can win.

      --
      "First they came for the slanderers and i said nothing."
  8. good by stenvar · · Score: 3, Funny

    Instead of global thermonuclear war, we now have to worry about WoW going down. Seems like a good tradeoff to me.

    1. Re:good by Calibax · · Score: 4, Insightful

      Instead of global thermonuclear war, we now have to worry about WoW going down. Seems like a good tradeoff to me.

      Instead of WoW, worry about the national infrastructure. Imagine all the SCADA devices insecurely connected to the Internet going down more-or-less simultaneously. No electricity, natural gas, or water distribution systems, no sewage treatment, etc. After a few hours/days without electricity the backup systems would start dying, so no phones or Internet either.

      So no WoW, as you pointed out. But that would be the least of our problems :)

    2. Re:good by stenvar · · Score: 2

      The SCADA systems are hundreds of thousands of different platforms/version combinations. Many of them aren't even connected to the Internet, many are based on firmware. Most are easy to secure and restore if they get corrupted/attacked.

      "Cyberwarfare" really is a misnomer. In regular warfare, bombs and guns don't have compatibility problems, you permanently destroy infrastructure or occupy it, and you kill people trying to restore it; in "cyberwarfare", the attacks only work against compatible hardware/software, you (usually only) temporarily disable infrastructure, and you have no physical control over it or ways to harm the people restoring it.

      "Cyberwarfare" is a tempest in a teapot. It's an attempt by people to get massive amounts of funding for useless programs. The idea that "cyberwarfare" is analogous to warfare is ludicrous.

    3. Re:good by Agripa · · Score: 1

      Instead of WoW, worry about the national infrastructure. Imagine all the SCADA devices insecurely connected to the Internet going down more-or-less simultaneously. No electricity, natural gas, or water distribution systems, no sewage treatment, etc. After a few hours/days without electricity the backup systems would start dying, so no phones or Internet either.

      An easier target would be the banking and government systems. Just screwing up social security transfers would be effective if slower.

  9. Re:Have we been hurt in this "war"? by stenvar · · Score: 1

    I can't tell whether you're being serious or sarcastic.

  10. Re:Have we been hurt in this "war"? by king+neckbeard · · Score: 2, Interesting

    Yes, he hurt the attack side, which is the side we don't actually need. Give the military and spook budget to security research, and the code war becomes no more of a threat than a literal pissing contest.

    --
    This is my signature. There are many like it, but this one is mine.
  11. I know a lot of Russian programmers... by aralin · · Score: 3, Insightful

    ... and let me tell you, if Cyber War replaces Cold War, they are winning this time...

    --
    If programs would be read like poetry, most programmers would be Vogons.
  12. An interesting question for any country by zuse · · Score: 1

    Is the army protecting us from this?

    I.e. in the advent of a cyberwar will our army do anything to protect private infrastructure like the electricity supply or the banking system from harm?

    Right now: No.

    The book to read on this is "Cyber War: The Next Threat to National Security and What to Do About It" by Richard A. Clarke. A great read and very scary.

  13. Re:cool by Hognoxious · · Score: 1

    So do I.

    Let me know when it happens, will you?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  14. Re:Two words : by Wootery · · Score: 2

    Only if done properly.

    Sure, but this applies to every engineering solution ever, no?

  15. Re:Have we been hurt in this "war"? by HJED · · Score: 1

    How much (if any) does this negate his whistleblowing about domestic surveillance?

    Not at all, just because something immoral is being done for a strategic military reason does not make it more moral.

    --
    null
  16. Re:Have we been hurt in this "war"? by Entropius · · Score: 3, Insightful

    This.

    This isn't a war between Us and Them where we race to break each other's stuff.

    This is a war between people who would like to use computers to build nifty stuff to make people's lives better, and people who would like to break other people's computers to advance their political agendas.

  17. Re:cool by peragrin · · Score: 1

    exactly I want my Hoverboard, flying car, and FTL drive.

    --
    i thought once I was found, but it was only a dream.
  18. you trade a preventable class of vuln for more by raymorris · · Score: 1

    Buffer overflows are one important class of vulnerability. They are also fairly easy to prevent /detect in new code. Use strncpy, not strcpy, etc. Static analysis can flag the dangerous constructs 99.9% of the time.

    Java and C# are vulnerable to other, less readily identified vulnerabilities because key parts of the operations are hidden in the libraries and programmers are not accustomed to thinking about them. Both can easily have vulnerablities from memory management problems, but they can be harder to positively identify, especially for the typical .net programmer who doesn't normally think about memory management at all.

    I'm having trouble finding the right words to express the issue. Imagine cars had a automatic steering mode that worked 99.9% of the time - there was rarely any need to touch the wheel. We can picture young people who learn to drive in these cars would have their hands full while driving, saying "why shouldn't I be texting and eating, the car steers itself". Then that 0.1% would happen - every three years they'd crash into something because they don't even think about steering. .Net memory management is just like that - it works well enough, often enough, that most .Net programmers don't bother to learn under what conditions it doesn't work automatically, and what their code needs to allow it to work as designed. Every so often, it causes .net programs to crash or corrupt data on accident. Beyond accidents, someone actively attacking memory management flaws in a .net application can easily cause damage, just as they can with errors in using the more direct memory management practices.

     

  19. Re:Sad to see this site go full retard Republican by CRCulver · · Score: 1

    Rational people support Russians becoming a part of Russia while they want to start a war over it.

    Rational people look at the polling statistics of how many (ethnic) Russians in Ukraine actually want to become a part of Russia. Support for joining Russia has never broke 30% in Eastern Ukraine even with widespread anger and disappointment at the new government.

    Even in Crimea, where earlier polling suggests only a slight majority wanted to join Russia (ignore the referendum which was organized quickly to avoid scrutiny, and which was boycotted by many ethnic Ukrainians and Tatars), one state taking territory from another -- as opposed to a reasonable compromise of letting the region become independent -- on the basis of a mere slight majority is hardly fair.

  20. And this is why... by davidwr · · Score: 1

    ... mission-critical things like banking and providing essential government services should "play it conservatively" and not be at the forefront of technology.

    OR, where it makes sense for them to be at the forefront, the "old way of doing things" should be kept around until after the "new" way has proven it is robust enough for the task.

    Being "robust enough for the task" means, among other things, not having unacceptable levels of downtime under normal or abnormal-but-common conditions (such as DDOS attacks) and having an acceptable and well-tested contingency plan when the unexpected or expected-but-rare event happens (such as a large earthquake taking out your primary and backup data centers and most of your communications, leaving only your "hardened" disaster-response and other "can't-fail during a public emergency" systems mostly intact).

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  21. Code war defined by davidwr · · Score: 1

    Code war: What the US and the Soviet Union had during the nasopharyngitis outbreaks of the 1950s through the 1980s.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  22. Must everything be "online"? by mschwanke97402 · · Score: 1

    Of course instead of laying off everyone in sight in favor of making everything "web-based" and "self-service" major corps and governments might try using people to deal with people but of course that cuts into bonuses and dividends...

  23. Imagine 9/11, but with no radio or phone. Gradual by raymorris · · Score: 1

    Imagine a 9/11 style attack, or a "poison gas in the subway", but at the same time they take out both the cell phone network and the most important radio trunking system used by first responders. The next day, the bad guys trigger the New York blackout.

    Or, think back to how the US won the cold war - slowly, gradually, by economically outperforming the Soviets. The US is already the target of sustained, large scale attacks. If those attacks improve to the point that it costs 1%-3% of GDP in defense or damages, over ten years SIGNIFICANTLY changes the international balance of power.